{ "id": "fec43f1c-9145-47ef-a73f-ce1d8b903f94", "created_at": "2026-04-06T00:06:35.568805Z", "updated_at": "2026-04-10T03:36:50.352383Z", "deleted_at": null, "sha1_hash": "615a17638fa484149c672d02624cf6268eb4cfa3", "title": "Peppy RAT - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54761, "plain_text": "Peppy RAT - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:12:24 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Peppy RAT\r\n Tool: Peppy RAT\r\nNames\r\nPeppy RAT\r\nPeppy Trojan\r\nCategory Malware\r\nType Backdoor, Keylogger, Info stealer, Downloader, Exfiltration\r\nDescription\r\n(Proofpoint) Peppy is a Python-based RAT with the majority of its appearances having\r\nsimilarities or definite overlap with MSIL/Crimson RAT appearances. Peppy\r\ncommunicates to its C\u0026C over HTTP and utilizes SQLite for much of its internal\r\nfunctionality and tracking of exfiltrated files. The primary purpose of Peppy may be the\r\nautomated exfiltration of potentially interesting files and keylogs. Once Peppy\r\nsuccessfully communicates to its C\u0026C, the keylogging and exfiltration of files using\r\nconfigurable search parameters begins. Files are exfiltrated using HTTP POST requests.\r\nIn addition to keylogging and the exfiltration of files, Peppy is also capable of accepting\r\ncommands from its C\u0026C to update itself, disable itself, exfiltrate a specific file, uninstall\r\nitself, execute a shell command, take screenshots, spawn a reverse shell, and download a\r\nremote file and execute it.\r\nInformation\r\n\u003chttps://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.peppy_rat\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:Peppy%20RAT\u003e\r\nLast change to this tool card: 29 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool Peppy RAT\r\nChanged Name Country Observed\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=23a7f4a8-9826-47a8-a7e8-1c4da9f44ca6\r\nPage 1 of 2\n\nAPT groups\r\n  Transparent Tribe, APT 36 2013-Mar 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=23a7f4a8-9826-47a8-a7e8-1c4da9f44ca6\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=23a7f4a8-9826-47a8-a7e8-1c4da9f44ca6\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=23a7f4a8-9826-47a8-a7e8-1c4da9f44ca6" ], "report_names": [ "listgroups.cgi?u=23a7f4a8-9826-47a8-a7e8-1c4da9f44ca6" ], "threat_actors": [ { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775433995, "ts_updated_at": 1775792210, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/615a17638fa484149c672d02624cf6268eb4cfa3.pdf", "text": "https://archive.orkl.eu/615a17638fa484149c672d02624cf6268eb4cfa3.txt", "img": "https://archive.orkl.eu/615a17638fa484149c672d02624cf6268eb4cfa3.jpg" } }